[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Resource-location
Hi John and David,
Fwiw, the original defn is in this email:
"BASE:resource:resource-locationAnother "passing" comment was made here:
(resource location obtained by removing simple-file-name and xpath attributes from resource-uri.
E.g. http://org/A00.xml#xpointer(/employee/name) has a resource-location of "http://org"; "
"I believe some policies will refer to resource-id,In general, imo, a "resource-id" probably should be a URI that simply
and some others might refer to resource-category,
or some other hypothetical attribute of the resource. "
"identifies" the resource, and "resource-location" should probably
be the URL where the resource can be found. In practice, I think
URL is often "overloaded" to meet both the id and location properties
of a resource, however, since "locations" often change, it seems that
a longer term strategy would be to distinguish id and location a little
better, although I don't think this is the job of xacml, except, possibly
in the sense of advising best practices for policy defns.
On 8/7/2013 12:45 PM, Tolbert, John W wrote:
That’s an interesting use case you wrote below. Would you use string for the data-type in that case? I was thinking that the ipAddress, dnsName, and anyURI data types would work well for this attribute too.
Thanks for the info.
It sometimes makes sense to define where a resource is located. Imagine a purchase order (PO). A PO would have been issued in a given location e.g. Texas. You could then write a rule as follows:
a user can view a purchase order if and only if user.location==resource.location.
You can then use urn:oasis:names:tc:xacml:1.0:resource:resource-location to implement the resource location attribute. We have quite a few location-based access control use cases here at Axiomatics that are like that.
On Wed, Aug 7, 2013 at 5:35 PM, Tolbert, John W <firstname.lastname@example.org> wrote:
Questions for those who have created policies with resource attributes (from section 10.2.6 “Identifiers” in the core, p.97):
Has anyone used the following identifier, and if so, for what purpose?:
I am imagining a use case where one might want to direct/restrict certain user groups to specific network locations or environments. Examples may include production / pre-production / development, or different views of the same resource for different user groups.
David Brossard, M.Eng, SCEA, CSTP
+46(0)760 25 85 75
S-111 30 Stockholm, Sweden
Rich Levinson | Internet Standards Security Architect
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803
Oracle is committed to developing practices and products that help protect the environment